Quick answer
You can’t fully prevent an OCR investigation, because most of what starts one is outside your control. The most common trigger is a complaint, which anyone can file through OCR’s portal. A breach affecting 500 or more people forces a report within 60 days and draws heavy scrutiny. Ransomware is now a leading cause. OCR also opens reviews from smaller breach reports, media coverage, and referrals from other agencies. What you can control is what OCR finds once it arrives, and that almost always starts with your written Risk Analysis.
Most small practice owners picture an OCR investigation as something that happens to big hospitals after a giant hack. The reality is quieter and closer to home. A single upset patient, a vendor that gets breached, or a local news story can put your small practice in front of the Office for Civil Rights. Here are the six things that actually trigger an OCR investigation, and the one thing you can do about it.
How do OCR investigations actually start?
OCR’s main job is to investigate complaints, but that is not the only door in. According to OCR’s own description of how it enforces HIPAA, it also opens “compliance reviews” on its own, prompted by media reports, referrals from other agencies, and trends in the complaints and breach reports it receives. So an investigation can begin with or without a complaint, and with or without a breach. Here are the six most common starting points for a small practice.
1. A complaint from a patient or a former employee
This is the big one. Anyone who believes you mishandled their health information can file a complaint through OCR’s online portal, generally within 180 days of finding out, for conduct in the past six years. Patients do it. So do former employees, which is the one most owners forget.
It does not take a hack. In 2019, a Dallas dental practice paid $10,000 to OCR after a patient complained that the practice had revealed her information in a reply to her Yelp review. One annoyed patient, one public reply, one complaint, one investigation.
2. A breach affecting 500 or more people
Under the Breach Notification Rule at 45 CFR 164.400-414, a breach of 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days, and you also have to notify prominent local media. Large breaches are posted publicly and draw the most scrutiny. For a small practice, “500 people” is not a high bar. A single stolen laptop or one misconfigured system can clear it.
3. A ransomware attack or a cyber incident
Ransomware has become one of the most reliable ways to land in front of OCR. The attack forces a breach report, the report opens an investigation, and the investigation almost always finds the same gap. OCR’s Risk Analysis Initiative, running since late 2024, has produced settlement after settlement on exactly this pattern. In April 2026 alone, OCR settled four ransomware investigations covering 427,000 patients for $1.165 million, and this month it reached its 20th ransomware settlement. Small practices are squarely in scope, not exempt.
4. A smaller breach in your annual report
Breaches affecting fewer than 500 people do not require an immediate report, but you still have to log them and report them to OCR within 60 days of the end of the calendar year. These feel minor, and most are. The risk is the pattern. OCR specifically watches for trends across the breach reports it receives, so a string of small incidents can prompt a compliance review even though no single one was large.
5. A news story
You do not have to report yourself for OCR to notice. OCR opens compliance reviews based on media reports. If a local outlet runs a story about a clinic that exposed patient records, that coverage alone can put the practice on OCR’s radar. In a small market, a single article in the local paper is enough.
6. A referral from another agency
OCR does not work in isolation. It takes referrals from other state and federal agencies, including state attorneys general, the FTC, and CMS. And if a complaint suggests a criminal HIPAA violation, OCR can refer it to the Department of Justice. So a state privacy investigation or an FTC inquiry into your marketing data can hand OCR a reason to open its own file.
One more path worth knowing: OCR also runs a periodic audit program that selects entities for review with no complaint or breach at all. It is less common than the six above, but it exists.
Can you actually prevent any of this?
Mostly, no. You cannot stop a patient from filing a complaint, a vendor from getting breached, or a reporter from writing a story. Chasing the triggers is the wrong goal, because most of them are out of your hands.
Here is the part you do control: what OCR finds once it arrives. Every one of these paths leads to the same first request. OCR asks for your written Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A). If you can hand over a current, thorough one, you are in a defensible position no matter how the investigation started. If you cannot, the trigger barely matters, because the gap is the same one OCR cites in the large majority of its enforcement actions. Civil penalties in 2026 run from $145 to $2,190,294 per violation under Federal Register 2026-01688, and small-practice settlements almost always add a multi-year corrective action plan.
What to do next
Stop trying to control the trigger and start controlling the outcome. Make sure you have a documented, current Risk Analysis that covers every system touching patient data, and that you can produce it on short notice. That single document is what turns an OCR letter from a crisis into a paperwork exercise.
That is the work behind our HIPAA Risk Analysis service, and if you want to know what the first days of an investigation actually look like, we walked through it in the first 72 hours of an OCR investigation. Not sure where you stand? The $750 Privacy Exposure Review gives you your top three risks in 48 hours.
The investigation may not be up to you. What it finds is.
Last Updated: June 24, 2026